Steganography Dr. Natarajan Meghanathan Associate Professor of Computer Science Jackson State University, Jackson MS 39217 E-mail: [email protected] Steganography • Steganography is the science of hiding information by embedding the hidden (secret) message within a cover media (for example, an image, audio or video carrier file) in such a way that the hidden information cannot be easily perceived to exist for the unintended recipients of the cover media. • Steganography hides the fact that the secret communication does not exist. • Different from Cryptography: – Cryptography techniques have been widely used to encrypt the plaintext data, transfer the ciphertext over the Internet and decrypt the ciphertext to extract the plaintext at the receiver side. – However, with the ciphertext not really making much sense when interpreted as it is, a hacker or an intruder can easily perceive that the information being sent on the channel has been encrypted and is not the plaintext. – This can naturally raise the curiosity level of a malicious hacker or intruder to conduct cryptanalysis attacks on the ciphertext (i.e., analyze the ciphertext vis-à-vis the encryption algorithms and decrypt the ciphertext completely or partially). Steganography: Hiding Model • Steganography takes advantage of the redundancy of data in the cover media to insert the “extra” information so that there could be no perceptible change to the cover media. Encryption Key, other keys Steganography Cover Media Embedding Stego Media Algorithm Information to Hide Steganography: Extraction Model • The extraction process should be possible without the cover. • The extraction algorithm can also be applied on any cover, whether or not it contains a secret message. Encryption Key, other keys Steganography Stego Media Extraction Cover Media Algorithm Information to Hide Information Hiding in Noisy Data • The cover media (images or digital sound) typically has redundancies in the form of a noise component (i.e., insignificant parts) and the general principle underlying most steganographic methods is to place the secret message in the noise component of the signal. • The cover can be typically considered as a sequence of bits – In the case of a digital sound, this sequence is the sequence of samples over time – In the case of a digital image, a sequence can be obtained by vectorizing the image (i.e., by lining up the gray-scale or color values in a left-to-right and top-to-bottom order) • A simple way to hide information in a sequence of binary numbers (bytes) is to replace the least significant bit (LSB) of each byte with a bit of the secret message or replace the LSB of bytes according to a sequence of pseudo random numbers generated at both sides. • For better security, the embedding algorithm should not significantly alter the statistical profile of the cover. Random Access Cover vs. Stream Cover • A cover is called a random access cover if the sender has access to the entire sequence of elements, a priori, in the embedding process. • A cover is called a stream cover if the sender has no access to the entire sequence of numbers in the embedding process – for example, an application that stores information in digital audio files while they are being recorded. • With a stream cover, it may be difficult to evenly spread the secret information all over the cover and one has to insert the secret info into the stream as it is transmitted; whereas, with a random access cover, the cover bits used to hide the secret information can be evenly selected with a suitable pseudo random selection function from all parts of the cover. • The main drawback with random access covers is that the cover size is often shorter than that of stream covers; there could be chances of collisions if the same cover bit is repeatedly selected for hiding the secret information. Types of Steganography • Secret Key Steganography – The sender chooses a cover and embeds the secret message into the cover using a secret key (for example: the seed for the pseudo random number generator for the byte sequence) known only to the sender and receiver. – The receiver can only extract the hidden message if he knows the secret key. – Anyone who does not know the secret key should not be able to obtain evidence of the encoded information. – The cover and the stego-objects can be perceptually similar. – Secret key steganography requires the prior exchange of a secret key before the actual communication (subverts the original intention of invisible communication!!) – Solution: Send the secret key using public-key cryptography Public Key Steganography • Alice (sender), Bob (receiver), Wendy (attacker) • Alice encrypts the secret message with Bob’s public key to obtain a random-looking ciphertext and embeds it in the cover and transmits the same as the stego media. • Bob will first extract the hidden ciphertext from the stego media received and then decrypt the ciphertext using his private key. • The embedding/extraction algorithms and the encryption/decryption algorithms are assumed to be publicly known. • If Wendy happens to receive the Stego media, she can extract the hidden ciphertext, which will merely appear as some random bits; but, she will not be able to decrypt it. • Steganographic Key Exchange Protocol • If the public key of Bob is not known to Alice, Bob can send his public key to Alice embedded in a cover. However, this could be prone to Man-in-the-Middle attacks and to avoid such attacks, the public-key certificate of Bob has to be sent instead. • Alice could generate a session key and send it as the secret message to Bob through public key steganography. The session key could be later used for embedding the actual secret information through secret key steganography. Security of Steganography Systems • A steganography system is insecure if an attacker is able to prove the existence of a secret message. • To analyze the security of a steganography system, we must assume that an attacker has unlimited computation power and is able and willing to perform a variety of attacks. • If he cannot confirm his hypothesis that a secret a message is embedded in a cover, then a system is theoretically secure. • Perfect Security: • If the selection of a cover is represented as a random variable C, a steganography system is (theoretically) perfectly secure if the process of embedding a secret message in a cover does not alter the probability distribution of C. • The relative entropy (measure of the difference) between the probability distributions of the cover and the stego should be zero for a perfectly secure steganography system. • If the relative entropy between the two probability distributions is ≤ ε, then the steganography system is said to be ε-secure ( ε > 0). Security of Steganography Systems • Detecting Secret Messages • Type-I error: An attacker falsely detects a hidden message in a cover that does not actually contain information. • Type-II error: An attacker fails to detect a hidden message. • For a perfectly secure steganography system, the probability that an attacker makes a Type-II error is 1. • For a ε-secure steganography system with the probabilities α and β that a passive attacker makes a Type-I and Type-II error respectively, the following relationship holds. Note that for a ε-secure system, α + β need not be 1. α 1−α α log 2 + 1( −α)log 2 ≤ ε 1− β β • For ε-secure systems with no Type-I errors (i.e., α = 0), β ≥ 2-ε • If ε = 0 (i.e., perfectly secure systems for which α + β = 1), β = 1 • As ε increases, β decreases (i.e., as the probability distributions of the cover and stego become increasing dissimilar, the probability that an attacker fails to detect a hidden message decreases). Security of Steganography Systems α 1−α α log 2 + 1( −α)log 2 ≤ ε 1− β β If α + β > 1 or α + β < 1, then ε > 0. This is because either of the two terms is > 0. If α + β = 1, then ε ≥ 0. Thus, for a perfectly secure steganography system, we need the probability of a Type-1 error and probability of a Type-2 error to add up to 1. Least Significant Bit (LSB)-based Substitution • The embedding process consists of choosing a subset {j 1,…, jl(m)} of cover elements and performing the substitution operation LSB( cji) = m i (m i can be either 1 or 0). – One can also change more than one bit of the cover-element – for example, by storing two message bits in the two least significant bits of one cover- element. • In the extraction process, the LSB of the selected cover-elements are extracted and used to reconstruct the secret message. A Generic LSB-based Embedding Algorithm (LSB)-based Substitution A Generic LSB-based Extraction Algorithm • Embedding Strategies – Use every cover-element starting from the first one. Since, the number of bits in the secret message is typically less than the length of the cover, the strategy would lead to a situation where the embedding process will be finished long before the end of the cover and the first part of the cover will have different statistical properties than the second part, where no modifications have been made. Embedding Strategies for LSB- based Substitution • Random Interval Method • Both communication partners share a stego-key K that would be used as a seed for a pseudorandom number generator that can create a random sequence k1, …, kl(m) and use the cover-elements with indices j 1 = k 1; ji = j i-1 + ki, for 2 ≤ i ≤ Length(m) Embedding Algorithm Extraction Algorithm Problem of Collisions with the Random Interval Method-based LSB • Collision – One index (jk) could appear more than once in the pseudorandom sequence as the output of the pseudorandom number generator is not restricted in any way.